HomePhabricator
Diffusion Phabricator 94d340fcffab

Include OAuth targets in "form-action" Content-Security-Policy
94d340fcffab
Actions

Description

Include OAuth targets in "form-action" Content-Security-Policy

Summary:
Ref T4340. Some "Register/Login" and "Link External Account" buttons are forms which submit to third-party sites. Whitelist these targets when pages render an OAuth form.

Safari, at least, also prevents a redirect to a third-party domain after a form submission to the local domain, so when we first redirect locally (as with Twitter and other OAuth1 providers) we need to authorize an additional URI.

Test Plan: Clicked all my registration buttons locally without hitting CSP issues.

Maniphest Tasks: T4340

Differential Revision: https://secure.phabricator.com/D19159

Details

Provenance
epriestleyAuthored on Mar 1 2018, 3:07 AM
epriestleyPushed on Mar 1 2018, 3:28 AM
Differential Revision
D19159: Include OAuth targets in "form-action" Content-Security-Policy
Parents
rPd5befb1a0ea3: Block use of "<base />" in the Content Security Policy
Branches
Unknown
Tags
Unknown
Tasks
T4340: Implement Content-Security-Policy and Strict-Transport-Security headers
Build Status
Buildable 19709
Build 26693: Run Core Tests

Changes (6)

PathSize
src/
aphront/
response/
applications/
auth/
provider/
phortune/
provider/
view/
form/
control/
page/

rP94d340fcffab

View Options

src/aphront/response/AphrontResponse.php

Loading...
View Options

src/applications/auth/provider/PhabricatorAuthProvider.php

Loading...
View Options

src/applications/auth/provider/PhabricatorOAuth1AuthProvider.php

Loading...
View Options

src/applications/phortune/provider/PhortuneStripePaymentProvider.php

Loading...
View Options

src/view/form/control/AphrontFormRecaptchaControl.php

Loading...
View Options

src/view/page/PhabricatorStandardPageView.php

Loading...
Phabricator ยท Built by Phacility